CAEP Hub Action Reference

CAEP Hub Actions are the resulting layer of your CAEP Hub Rules and Workflows — they carry out real changes against identity providers, infrastructure, and SaaS applications in response to trigger conditions. SGNL provides dozens of out-of-the-box actions covering standards-based CAEP/SSF event transmission as well as proprietary APIs for leading platforms including Microsoft Entra ID, AWS, Okta, Salesforce, and more.

One or more parameter expressions can appear anywhere in an action field — including the address override field — letting you build fully dynamic requests from triggered graph data, or action responses. Examples of use can be found here.

Below is the list of supported Actions in CAEP Hub, with their inputs and outputs.


Azure Active Directory / Entra ID

Protected System Type: AzureAD-1.0.0

SettingValue
Addresshttps://graph.microsoft.com/v1.0
AuthenticationOAuth2 Client Credentials (recommended) or OAuth2 Authorization Code

For Authorization Code Flow, ensure the offline_access scope is configured in addition to https://graph.microsoft.com/.default.


Add to Group

nameKey: aad-add-to-group

Description: Add a user to a group in Azure Active Directory

Inputs

InputRequiredTypeDescriptionExample
userPrincipalNameYestextUPN of the user to add[email protected]
groupIdYestextAzure AD Group ID (GUID)89a3f3e2-1234-5678-abcd-ef1234567890
addressNotextAzure AD API base URL overridehttps://graph.microsoft.com/v1.0

Outputs

OutputTypeDescription
statustextOperation result (success, failed, recovered, etc.)
userPrincipalNametextUser Principal Name that was processed
groupIdtextAzure AD Group ID that was processed
addedbooleanWhether the user was successfully added to the group
messagetextAdditional context (e.g., user already a member)
addresstextThe Azure AD API base URL used

Assign Role to User

nameKey: aad-assign-role-to-user

Description: Assign a directory role to a user in Azure Active Directory

Inputs

InputRequiredTypeDescriptionExample
userPrincipalNameYestextUPN of the user to assign the role to[email protected]
roleIdYestextDirectory role ID (GUID)62e90394-69f5-4237-9190-012177145e10
directoryScopeIdNotextDirectory scope for the assignment (default /)/
justificationNotextReason for the role assignmentApproved by SGNL.ai
addressNotextAzure AD API base URL overridehttps://graph.microsoft.com/v1.0

Outputs

OutputTypeDescription
statustextOperation result
userPrincipalNametextUser principal name that was processed
roleIdtextRole ID that was assigned
userIdtextUser’s directory object ID
requestIdtextRole assignment request ID
addresstextThe Azure AD API base URL used

Disable User

nameKey: aad-disable-user

Description: Disable a user account in Azure Active Directory

Inputs

InputRequiredTypeDescriptionExample
userPrincipalNameYestextUPN of the user to disable[email protected]
addressNotextAzure AD API base URL overridehttps://graph.microsoft.com/v1.0

Outputs

OutputTypeDescription
statustextOperation result
userPrincipalNametextThe user principal name that was disabled
accountEnabledbooleanAccount enabled status (should be false)
addresstextThe Azure AD API base URL used

Enable User

nameKey: aad-enable-user

Description: Enable a user account in Azure Active Directory

Inputs

InputRequiredTypeDescriptionExample
userPrincipalNameYestextUPN of the user to enable[email protected]
addressNotextAzure AD API base URL overridehttps://graph.microsoft.com/v1.0

Outputs

OutputTypeDescription
statustextOperation result
userPrincipalNametextThe user principal name that was enabled
accountEnabledbooleanAccount enabled status (should be true)
addresstextThe Azure AD API base URL used

Remove from Group

nameKey: aad-remove-from-group

Description: Remove a user from a group in Azure Active Directory

Inputs

InputRequiredTypeDescriptionExample
userPrincipalNameYestextUPN of the user to remove[email protected]
groupIdYestextAzure AD Group ID (GUID)89a3f3e2-1234-5678-abcd-ef1234567890
addressNotextAzure AD API base URL overridehttps://graph.microsoft.com/v1.0

Outputs

OutputTypeDescription
statustextOperation result
userPrincipalNametextThe user principal name that was processed
groupIdtextThe group ID that was processed
removedbooleanWhether the user was successfully removed
userIdtextThe Azure AD object ID of the user
messagetextOptional context message
addresstextThe Azure AD API base URL used

Entra Azure AD Revoke Session

nameKey: aad-revoke-session

Description: Revoke all Azure AD sign-in sessions for a user

Inputs

InputRequiredTypeDescriptionExample
userPrincipalNameYestextUPN of the user whose sessions should be revoked[email protected]
addressNotextAzure AD API base URL overridehttps://graph.microsoft.com/v1.0

Outputs

OutputTypeDescription
statustextOperation result
userPrincipalNametextThe user principal name whose sessions were revoked
valuebooleantrue if revocation was successful
addresstextThe Azure AD API base URL used

Unassign Role from User

nameKey: aad-unassign-role-from-user

Description: Remove a directory role from a user in Azure Active Directory

Inputs

InputRequiredTypeDescriptionExample
userPrincipalNameYestextUPN of the user to remove the role from[email protected]
roleIdYestextDirectory role ID to remove62e90394-69f5-4237-9190-012177145e10
directoryScopeIdNotextDirectory scope for the role assignment (default /)/
justificationNotextReason for removalRemoved by SGNL.ai
addressNotextAzure AD API base URL overridehttps://graph.microsoft.com/v1.0

Outputs

OutputTypeDescription
statustextOperation result
userPrincipalNametextUser principal name that was processed
roleIdtextRole ID that was removed
userIdtextUser’s directory object ID
requestIdtextRole removal request ID
addresstextThe Azure AD API base URL used

Active Directory (On-Premise)

Protected System Type: ActiveDirectory-1.0.0

SettingValue
AddressLDAP(S) server URL, e.g. ldaps://ad.corp.example.com:636
AuthenticationBasic (LDAP bind username and password)

Password updates (ad-create-user, ad-update-user) require LDAPS (port 636) to transmit credentials securely.


Add to Group

nameKey: ad-add-to-group

Description: Add a user to a group in on-premise Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
baseDNYestextBase DN to search for the userDC=corp,DC=example,DC=com
samAccountNameYestextUser’s sAMAccountNamealice
groupDNYestextDistinguished Name of the target groupCN=Admins,OU=Groups,DC=corp,DC=example,DC=com
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636
dry_runNobooleanValidate without making changesfalse

Outputs

OutputTypeDescription
statustextOperation result (success, dry_run_completed, halted)
userDNtextResolved Distinguished Name of the user
groupDNtextDistinguished Name of the group that was processed
addedbooleanWhether the user was newly added to the group
baseDNtextThe base DN used to search for the user
samAccountNametextThe sAMAccountName used to identify the user
messagetextAdditional status message or error details
addresstextThe LDAP server URL that was used

Create Group

nameKey: ad-create-group

Description: Create a new group in on-premise Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
groupDNYestextDistinguished Name for the new groupCN=My Group,OU=Groups,DC=example,DC=com
samAccountNameYestextSAM account name for the groupMyGroup
descriptionNotextGroup descriptionSGNL-managed group
groupTypeNotextsecurity or distribution (default security)security
groupScopeNotextglobal, domain_local, or universal (default global)global
managedByNotextDN of the managing user or groupCN=Admin,OU=Users,DC=example,DC=com
additionalAttributesNotextJSON object of additional LDAP attributes{"info":"managed by SGNL"}
dry_runNobooleanValidate without making changesfalse
successIfAlreadyExistsNobooleanReturn success if group already existsfalse
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636

Outputs

OutputTypeDescription
statustextOperation result (success, halted, dry_run_completed)
groupDNtextDistinguished Name of the created group
createdbooleanWhether the group was created
alreadyExistedbooleantrue if group already existed (when successIfAlreadyExists is enabled)
groupTypetextType of group created
groupScopetextScope of group created
attributesarrayList of attribute names that were set
addresstextLDAP server address used

Create User

nameKey: ad-create-user

Description: Create a new user in on-premise Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
userDNYestextDistinguished Name for the new userCN=Alice Smith,OU=Users,DC=example,DC=com
samAccountNameYestextSAM account name (sAMAccountName)alice.smith
userPrincipalNameYestextUser Principal Name[email protected]
firstNameYestextFirst name (givenName)Alice
lastNameYestextLast name (sn)Smith
displayNameNotextDisplay nameAlice Smith
emailNotextEmail address (mail)[email protected]
companyNotextCompany nameAcme Corp
departmentNotextDepartmentEngineering
titleNotextJob titleEngineer
enabledNobooleanCreate account as enabled (default false)true
passwordNotextInitial password (requires LDAPS)TempP@ssw0rd!
changePasswordAtNextLoginNobooleanForce password change on first loginfalse
additionalAttributesNotextJSON object of additional LDAP attributes{"telephoneNumber":"555-1234"}
dry_runNobooleanValidate without making changesfalse
successIfAlreadyExistsNobooleanReturn success if user already existsfalse
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636

Outputs

OutputTypeDescription
statustextOperation result (success, halted)
userDNtextDistinguished Name of the created user
createdbooleanWhether the user was created
alreadyExistedbooleantrue if user already existed (when successIfAlreadyExists is enabled)
attributesarrayList of attribute names that were set
enabledbooleanWhether the account was created as enabled
addresstextLDAP server address used

Disable User

nameKey: ad-disable-user

Description: Disable an enabled user account in on-premise Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
baseDNYestextBase DN to search for the userDC=corp,DC=example,DC=com
samAccountNameYestextUser’s sAMAccountNamealice
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636
dry_runNobooleanValidate without making changesfalse

Outputs

OutputTypeDescription
statustextOperation result
userDNtextResolved Distinguished Name of the user
disabledbooleanWhether the user was newly disabled (false if already disabled)
previousUACnumberuserAccountControl value before the operation
newUACnumberuserAccountControl value after the operation
baseDNtextThe base DN used to search for the user
samAccountNametextThe sAMAccountName used to identify the user
addresstextThe LDAP server URL that was used

Enable User

nameKey: ad-enable-user

Description: Enable a disabled user account in on-premise Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
baseDNYestextBase DN to search for the userDC=corp,DC=example,DC=com
samAccountNameYestextUser’s sAMAccountNamealice
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636
dry_runNobooleanValidate without making changesfalse

Outputs

OutputTypeDescription
statustextOperation result
userDNtextResolved Distinguished Name of the user
enabledbooleanWhether the user was newly enabled (false if already enabled)
previousUACnumberuserAccountControl value before the operation
newUACnumberuserAccountControl value after the operation
baseDNtextThe base DN used to search for the user
samAccountNametextThe sAMAccountName used to identify the user
addresstextThe LDAP server URL that was used

Move User

nameKey: ad-move-user

Description: Move a user to a new parent container/OU in Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
baseDNYestextBase DN to search for the userDC=corp,DC=example,DC=com
samAccountNameYestextUser’s sAMAccountNamealice
newParentDNYestextTarget container/OU DNOU=DisabledUsers,DC=example,DC=com
newNameNotextNew name for the user (without CN= prefix)Alice Smith
dry_runNobooleanValidate without making changesfalse
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636

Outputs

OutputTypeDescription
statustextOperation result (success, halted, dry_run_completed)
userDNtextResolved Distinguished Name of the user
previousDNtextOriginal Distinguished Name before move
newDNtextNew Distinguished Name after move
movedbooleanWhether the user was moved
renamedbooleanWhether the user was renamed during the move
baseDNtextThe base DN used to search for the user
samAccountNametextThe sAMAccountName used to identify the user
newParentDNtextTarget parent container/OU DN
addresstextLDAP server address used

Remove from Group

nameKey: ad-remove-from-group

Description: Remove a user from a group in on-premise Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
baseDNYestextBase DN to search for the userDC=corp,DC=example,DC=com
samAccountNameYestextUser’s sAMAccountNamealice
groupDNYestextDistinguished Name of the target groupCN=Admins,OU=Groups,DC=corp,DC=example,DC=com
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636
dry_runNobooleanValidate without making changesfalse

Outputs

OutputTypeDescription
statustextOperation result
userDNtextResolved Distinguished Name of the user
groupDNtextDistinguished Name of the group that was processed
removedbooleanWhether the user was newly removed from the group
baseDNtextThe base DN used to search for the user
samAccountNametextThe sAMAccountName used to identify the user
messagetextAdditional status message or error details
addresstextThe LDAP server URL that was used

Update User

nameKey: ad-update-user

Description: Update user attributes in on-premise Active Directory via LDAP

Inputs

InputRequiredTypeDescriptionExample
baseDNYestextBase DN to search for the userDC=corp,DC=example,DC=com
samAccountNameNotextsAMAccountName of the user (required if objectGUID is not provided)alice
objectGUIDNotextImmutable objectGUID (used instead of samAccountName when renaming)xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
newSamAccountNameNotextNew SAM account name if renamingalice.smith
userPrincipalNameNotextNew User Principal Name[email protected]
firstNameNotextFirst name (givenName)Alice
lastNameNotextLast name (sn)Smith
displayNameNotextDisplay nameAlice Smith
emailNotextEmail address (mail)[email protected]
companyNotextCompany nameAcme Corp
departmentNotextDepartmentEngineering
titleNotextJob titleSenior Engineer
passwordNotextNew password (requires LDAPS)NewP@ssw0rd!
changePasswordAtNextLoginNobooleanForce password change on next loginfalse
additionalAttributesNotextJSON object of additional LDAP attributes to update{"telephoneNumber":"555-5678"}
dry_runNobooleanValidate without making changesfalse
addressNotextLDAP server URL overrideldaps://ad.corp.example.com:636

Outputs

OutputTypeDescription
statustextOperation result (success, halted)
userDNtextResolved Distinguished Name of the user
modifiedbooleanWhether user attributes were modified
attributesarrayList of attribute names that were updated
baseDNtextThe base DN used to search for the user
samAccountNametextThe sAMAccountName used to identify the user
objectGUIDtextThe objectGUID used to identify the user
addresstextLDAP server address used

AWS

Protected System Type: AWS-1.0.0

SettingValue
AddressNot required for IAM/Identity Center operations
AuthenticationAWS IAM credentials (Access Key ID and Secret Access Key) configured as secrets on the Protected System

AWS actions use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials rather than the standard Bearer/OAuth2 methods. Ensure the IAM user or role has the necessary permissions for each action.


Add to Identity Center Group

nameKey: aws-add-to-identity-center-group

Description: Add a user to an AWS Identity Center (SSO) group

Inputs

InputRequiredTypeDescriptionExample
userNameYestextUsername of the user to addalice
identityStoreIdYestextIdentity Store IDd-1234567890
groupIdYestextID of the group to add the user toa1b2c3d4-5678-...
regionYestextAWS regionus-east-1

Outputs

OutputTypeDescription
userNametextThe username that was added
groupIdtextThe group ID the user was added to
userIdtextThe resolved user ID from the username
membershipIdtextThe ID of the created group membership
addedbooleanWhether the user was successfully added
addedAtdatetimeWhen the addition completed (ISO 8601)

Remove from Identity Center Group

nameKey: aws-remove-from-identity-center-group

Description: Remove a user from an AWS Identity Center (SSO) group

Inputs

InputRequiredTypeDescriptionExample
userNameYestextUsername of the user to removealice
identityStoreIdYestextIdentity Store IDd-1234567890
groupIdYestextID of the group to remove the user froma1b2c3d4-5678-...
regionYestextAWS regionus-east-1

Outputs

OutputTypeDescription
userNametextThe username that was removed
groupIdtextThe group ID the user was removed from
userIdtextThe resolved user ID from the username
removedbooleanWhether the user was successfully removed
removedAtdatetimeWhen the removal completed (ISO 8601)

AWS Revoke Session

nameKey: aws-revoke-session

Description: Revoke AWS sessions by applying a deny policy for tokens issued before a specific time

Inputs

InputRequiredTypeDescriptionExample
roleNameYestextName of the IAM role to apply the revocation policy toMyAppRole
regionYestextAWS regionus-east-1
conditionsNotextAdditional conditions to append to the policy (JSON){"StringEquals":{"aws:PrincipalTag/env":"prod"}}
tokenIssueTimeNodatetimeRevoke tokens issued before this time (defaults to now)${sgnl.time.now}

Outputs

OutputTypeDescription
roleNametextThe role name that was updated
policyNametextThe name of the policy that was applied
tokenIssueTimedatetimeThe token issue time used for revocation
appliedbooleanWhether the policy was successfully applied
appliedAtdatetimeWhen the policy was applied (ISO 8601)

Revoke User Access Tokens

nameKey: aws-revoke-user-access-tokens

Description: Revoke all AWS access tokens for a user by deleting all their access keys

Inputs

InputRequiredTypeDescriptionExample
userNameYestextIAM username whose access keys should be deletedalice
regionYestextAWS regionus-east-1

Outputs

OutputTypeDescription
userNametextThe user whose access tokens were revoked
keysDeletednumberNumber of access keys that were deleted
revokedbooleanWhether the revocation was successful
revokedAtdatetimeWhen the revocation completed (ISO 8601)

Box

Protected System Type: Box-1.0.0

SettingValue
Addresshttps://api.box.com
AuthenticationBearer, Basic, OAuth2 Client Credentials, or OAuth2 Authorization Code

Box Revoke Session

nameKey: box-revoke-session

Description: Terminate all active sessions for a Box user

Inputs

InputRequiredTypeDescriptionExample
userIdYestextThe Box user ID to revoke sessions for12345678
userLoginYesemailThe Box user email/login[email protected]
addressNotextBox API base URL overridehttps://api.box.com

Outputs

OutputTypeDescription
userIdtextThe Box user ID that was processed
userLogintextThe Box user login/email that was processed
sessionsTerminatedbooleanWhether the sessions were successfully terminated
terminatedAtdatetimeWhen the termination completed (ISO 8601)
messagetextResponse message from the Box API

CAEP / Security Event Tokens

Protected System Type: CAEPTransmitter-1.0.0

SettingValue
AddressSET delivery endpoint (e.g., https://customer.okta.com/)
AuthenticationBearer (signed JWTs are generated automatically; the Bearer token here authenticates to the stream receiver’s management API if required)

CAEP actions transmit Security Event Tokens (SETs) to a CAEP-compliant receiver according to the Shared Signals Framework (SSF). The subject identifies the affected principal, and the audience field specifies the intended recipient.


Assurance Level Change

nameKey: caep-assurance-level-change

Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Assurance Level Change event as a Security Event Token (SET) to a specified endpoint

Inputs

InputRequiredTypeDescriptionExample
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
audienceYestextIntended recipient of the SEThttps://customer.okta.com/
namespaceYestextAssurance level namespaceNIST-AAL
current_levelYestextCurrent assurance level value2
previous_levelNotextPrevious assurance level value1
change_directionNotextincrease or decreaseincrease
initiating_entityNotextEntity that initiated the changepolicy
reason_adminNotextAdmin-readable reason (JSON i18n or plain string)MFA upgraded
reason_userNotextUser-readable reasonYour security level has been updated
addressNotextDestination URL overridehttps://customer.okta.com/

Valid namespace values: RFC8176, RFC6711, ISO-IEC-29115, NIST-IAL, NIST-AAL, NIST-FAL

Outputs

OutputTypeDescription
statustextTransmission status (success or failed)
statusCodenumberHTTP response status code
bodytextHTTP response body
retryablebooleanWhether the error is retryable

Credential Change

nameKey: caep-credential-change

Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Credential Change event as a Security Event Token (SET) to a specified endpoint

Inputs

InputRequiredTypeDescriptionExample
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
audienceYestextIntended recipient of the SEThttps://customer.okta.com/
credential_typeYestextType of credential that changedpassword
change_typeYestextType of change: create, revoke, update, or deleterevoke
friendly_nameNotextHuman-readable name for the credentialCorporate Password
x509_issuerNotextX.509 certificate issuer (for x509 credential type)CN=corp-ca
x509_serialNotextX.509 certificate serial number0x1A2B3C
fido2_aaguidNotextFIDO2 Authenticator Attestation GUIDadce0002-...
initiating_entityNotextEntity that initiated the changeadmin
reason_adminNotextAdmin-readable reasonPassword expired
reason_userNotextUser-readable reasonYour password has been reset
addressNotextDestination URL overridehttps://customer.okta.com/

Outputs

OutputTypeDescription
statustextTransmission status
statusCodenumberHTTP response status code
bodytextHTTP response body
retryablebooleanWhether the error is retryable

Device Compliance Change

nameKey: caep-device-compliance-change

Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Device Compliance Change event as a Security Event Token (SET) to a specified endpoint

Inputs

InputRequiredTypeDescriptionExample
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
audienceYestextIntended recipient of the SEThttps://customer.okta.com/
previous_statusYestextPrevious compliance status: compliant or not-compliantcompliant
current_statusYestextCurrent compliance status: compliant or not-compliantnot-compliant
initiating_entityNotextEntity that initiated the changesystem
reason_adminNotextAdmin-readable reasonDevice out of compliance
reason_userNotextUser-readable reasonYour device is no longer compliant
addressNotextDestination URL overridehttps://customer.okta.com/

Outputs

OutputTypeDescription
statustextTransmission status
statusCodenumberHTTP response status code
bodytextHTTP response body
retryablebooleanWhether the error is retryable

Session Revoked

nameKey: caep-session-revoked

Description: Transmits CAEP Session Revoked events as Security Event Tokens (SET)

Inputs

InputRequiredTypeDescriptionExample
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
audienceYestextIntended recipient of the SEThttps://customer.okta.com/
initiating_entityNotextWhat initiated the session revocationpolicy
reason_adminNotextAdministrative reason for revocationPolicy violation detected
reason_userNotextUser-facing reasonYour session has been ended
addressNotextDestination URL overridehttps://customer.okta.com/

Outputs

OutputTypeDescription
statustextOperation result (success or failed)
statusCodenumberHTTP status code from the SET receiver
bodytextResponse body from the SET receiver
retryablebooleanWhether the error is retryable

Token Claims Change

nameKey: caep-token-claims-change

Description: Transmits a Continuous Access Evaluation Protocol (CAEP) Token Claims Change event as a Security Event Token (SET) to a specified endpoint

Inputs

InputRequiredTypeDescriptionExample
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
audienceYestextIntended recipient of the SEThttps://customer.okta.com/
claimsYestextJSON of changed token claims{"role":"viewer","department":"finance"}
initiating_entityNotextEntity that initiated the changeadmin
reason_adminNotextAdmin-readable reasonRole downgraded
reason_userNotextUser-readable reasonYour access level has changed
addressNotextDestination URL overridehttps://customer.okta.com/

Outputs

OutputTypeDescription
statustextTransmission status
statusCodenumberHTTP response status code
bodytextHTTP response body
retryablebooleanWhether the error is retryable

Generic

Generic actions are available on any Protected System regardless of type. They are useful for custom integrations or one-off HTTP calls.


SSE Transmitter

nameKey: generic-sse-transmitter

Description: Transmits Security Event Tokens (SET) for CAEP and other security events

Inputs

InputRequiredTypeDescriptionExample
typeYestextSecurity event type URIhttps://schemas.openid.net/secevent/caep/event-type/session-revoked
audienceYestextIntended recipienthttps://customer.okta.com/
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
eventPayloadYestextEvent-specific payload as JSON string{"initiating_entity":"admin"}
addressNotextDestination URL overridehttps://customer.example.com/push
addressSuffixNotextSuffix to append to the base address/api/events
customClaimsNotextCustom JWT claims as JSON string{"tenant":"acme"}
subjectFormatNotextSubject placement: SubjectInEventClaims (CAEP 2.0/Okta) or SubjectInSubId (CAEP 3.0)SubjectInSubId

Outputs

OutputTypeDescription
statustextTransmission status (success or failed)
statusCodenumberHTTP status code from the SET receiver
bodytextResponse body from the SET receiver
retryablebooleanWhether the error is retryable

Webhook

nameKey: generic-webhook

Description: Generic webhook action for making custom HTTP requests

Inputs

InputRequiredTypeDescriptionExample
methodYestextHTTP methodPOST
addressNotextFull URL (overrides Protected System address)https://api.example.com/users/suspend
addressSuffixNotextPath suffix to append to the base address/v2/disable
requestBodyNotextJSON request body{"userId":"${trigger.User.id}"}
requestHeadersNotextJSON object of custom headers{"X-Custom-Header":"value"}
acceptedStatusCodesNoarrayAdditional HTTP status codes to treat as success[404, 409]

Outputs

OutputTypeDescription
statustextOperation result status
dataobjectResponse data containing statusCode, body, success, and executedAt

Access nested response fields as ${outputs['generic-webhook'].data.body.<field>}.


Google

Protected System Type: Google-1.0.0

SettingValue
Addresshttps://iam.googleapis.com (Workforce Identity) or https://admin.googleapis.com (Workspace)
AuthenticationBearer, OAuth2 Client Credentials, or OAuth2 Authorization Code

Google Workspace session revocation requires a service account with domain-wide delegation or OAuth2 Authorization Code with the Admin SDK https://www.googleapis.com/auth/admin.directory.user.security scope.


Delete Workforce User

nameKey: google-delete-workforce-user

Description: Delete a workforce user from Google Cloud IAM Workforce Identity

Inputs

InputRequiredTypeDescriptionExample
subjectIdYestextSubject ID of the workforce user to deletecontractor-alice
workforcePoolIdYestextID of the workforce poolmy-workforce-pool
addressNotextGoogle IAM API base URL overridehttps://iam.googleapis.com

Outputs

OutputTypeDescription
workforcePoolIdtextThe workforce pool ID that was processed
subjectIdtextThe subject ID that was deleted
deletedbooleanWhether the user was successfully deleted
alreadyDeletedbooleanWhether the user was already deleted (404 response)
deletedAtdatetimeWhen the deletion completed (ISO 8601)

Google Revoke Session

nameKey: google-revoke-session

Description: Sign out a Google Workspace user from all web and device sessions

Inputs

InputRequiredTypeDescriptionExample
userKeyYestextUser’s primary email, alias email, or unique user ID[email protected]
addressNotextGoogle Admin SDK API base URL overridehttps://admin.googleapis.com

Outputs

OutputTypeDescription
userKeytextThe user key that was signed out
sessionRevokedbooleanWhether the session was successfully revoked
revokedAtdatetimeWhen the session was revoked (ISO 8601)

Undelete Workforce User

nameKey: google-undelete-workforce-user

Description: Undelete a workforce user from Google Cloud IAM Workforce Identity

Inputs

InputRequiredTypeDescriptionExample
subjectIdYestextSubject ID of the workforce user to undeletecontractor-alice
workforcePoolIdYestextID of the workforce poolmy-workforce-pool
addressNotextGoogle IAM API base URL overridehttps://iam.googleapis.com

Outputs

OutputTypeDescription
workforcePoolIdtextThe workforce pool ID that was processed
subjectIdtextThe subject ID that was undeleted
undeletedbooleanWhether the user was successfully undeleted
alreadyActivebooleanWhether the user was already active (not deleted)
undeletedAtdatetimeWhen the undeletion completed (ISO 8601)

HashiCorp Boundary

Protected System Type: HashiCorpBoundary-1.0.0

SettingValue
AddressYour Boundary deployment base URL, e.g. https://boundary.example.com
AuthenticationBasic (Boundary admin username and password)

The Boundary admin credentials are used to obtain a token for API operations. The authMethodId input on each action specifies which Boundary auth method to use during login.


Add User to Group

nameKey: hashicorp-boundary-add-user-to-group

Description: Add a user to a group in HashiCorp Boundary

Inputs

InputRequiredTypeDescriptionExample
groupIdYestextThe Boundary group ID to add the user tog_1234567890
userIdYestextThe Boundary user ID to addu_1234567890
authMethodIdYestextThe Boundary auth method ID for loginampw_1234567890

Outputs

OutputTypeDescription
groupIdtextThe group ID that was processed
userIdtextThe user ID that was added
authMethodIdtextThe auth method ID used for authentication
userAddedbooleanWhether the user was successfully added to group
addedAtdatetimeWhen the operation completed (ISO 8601)

Cancel Sessions

nameKey: hashicorp-boundary-cancel-sessions

Description: Cancel active sessions in HashiCorp Boundary

Inputs

InputRequiredTypeDescriptionExample
sessionIdYestextThe Boundary session ID to cancels_1234567890
authMethodIdYestextThe Boundary auth method ID for loginampw_1234567890

Outputs

OutputTypeDescription
sessionIdtextThe session ID that was processed
authMethodIdtextThe auth method ID used for authentication
sessionCancelledbooleanWhether the session was successfully cancelled
cancelledAtdatetimeWhen the cancellation completed (ISO 8601)

Remove User from Group

nameKey: hashicorp-boundary-remove-user-from-group

Description: Remove a user from a group in HashiCorp Boundary

Inputs

InputRequiredTypeDescriptionExample
groupIdYestextThe Boundary group ID to remove the user fromg_1234567890
userIdYestextThe Boundary user ID to removeu_1234567890
authMethodIdYestextThe Boundary auth method ID for loginampw_1234567890

Outputs

OutputTypeDescription
groupIdtextThe group ID that was processed
userIdtextThe user ID that was removed
authMethodIdtextThe auth method ID used for authentication
userRemovedbooleanWhether the user was successfully removed from group
removedAtdatetimeWhen the operation completed (ISO 8601)

Okta

Protected System Type: Okta-1.0.0

SettingValue
Addresshttps://your-tenant.okta.com
AuthenticationBearer — use an Okta API token prefixed with SSWS (e.g., SSWS SomeToken)

Okta also supports proprietary SSF/CAEP event types (Device Risk Change, User Risk Change) transmitted as SETs to Okta’s Security Event Token endpoint.


Assign User to Group

nameKey: okta-assign-user-to-group

Description: Assign an Okta user to a group for access management

Inputs

InputRequiredTypeDescriptionExample
userIdYestextThe Okta user ID to assign00u1a2b3c4d5e6f7
groupIdYestextThe Okta group ID00g1a2b3c4d5e6f7
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
userIdtextThe user ID that was assigned
groupIdtextThe group ID the user was assigned to
assignedbooleanWhether the user was successfully assigned
addresstextThe Okta API base URL used
assignedAtdatetimeWhen the user was assigned (ISO 8601)

Create User

nameKey: okta-create-user

Description: Create a new user in Okta with profile attributes and group assignments

Inputs

InputRequiredTypeDescriptionExample
emailYestextUser’s email address[email protected]
loginYestextUser’s login/username[email protected]
firstNameYestextFirst nameAlice
lastNameYestextLast nameSmith
departmentNotextDepartmentEngineering
employeeNumberNotextEmployee numberEMP-001
groupIdsNotextComma-separated Okta group IDs00g1...,00g2...
additionalProfileAttributesNotextJSON of additional profile attributes{"title":"Engineer"}
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
idtextThe Okta user ID of the created user
statustextThe user’s status in Okta
createddatetimeWhen the user was created (ISO 8601)
activateddatetimeWhen the user was activated (ISO 8601)
statusChangeddatetimeWhen the user’s status last changed (ISO 8601)
lastLogindatetimeWhen the user last logged in (ISO 8601)
lastUpdateddatetimeWhen the user was last updated (ISO 8601)
profileobjectThe user’s profile information
groupIdsarrayList of group IDs the user was assigned to
addresstextThe Okta API base URL used

Device Risk Change

nameKey: okta-device-risk-change

Description: Transmits an Okta Device Risk Change event as a Security Event Token (SET) to a specified endpoint

Inputs

InputRequiredTypeDescriptionExample
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
audienceYestextIntended recipienthttps://your-tenant.okta.com/
previous_levelYestextPrevious device risk levellow
current_levelYestextCurrent device risk levelhigh
initiating_entityNotextEntity that initiated the changesystem
reason_adminNotextAdmin-readable reasonDevice jailbreak detected
reason_userNotextUser-readable reasonDevice risk level changed
addressNotextDestination URL overridehttps://your-tenant.okta.com/

Valid risk levels: high, medium, low, secure, none

Outputs

OutputTypeDescription
statustextTransmission status
statusCodenumberHTTP response status code
bodytextHTTP response body
retryablebooleanWhether the error is retryable

Okta Revoke Session

nameKey: okta-revoke-session

Description: Revoke all active sessions for an Okta user

Inputs

InputRequiredTypeDescriptionExample
userIdYestextThe Okta user ID whose sessions should be revoked00u1a2b3c4d5e6f7
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
userIdtextThe user ID whose sessions were revoked
sessionsRevokedbooleanWhether sessions were successfully revoked
addresstextThe Okta API base URL used
revokedAtdatetimeWhen the sessions were revoked (ISO 8601)

Suspend User

nameKey: okta-suspend-user

Description: Suspend an Okta user account, preventing them from logging in

Inputs

InputRequiredTypeDescriptionExample
userIdYestextThe Okta user ID to suspend00u1a2b3c4d5e6f7
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
userIdtextThe user ID that was suspended
suspendedbooleanWhether the user was successfully suspended
addresstextThe Okta API base URL used
suspendedAtdatetimeWhen the user was suspended (ISO 8601)
statustextThe user’s status in Okta after suspension

Unassign User from Group

nameKey: okta-unassign-user-from-group

Description: Remove an Okta user from a group to revoke access

Inputs

InputRequiredTypeDescriptionExample
userIdYestextThe Okta user ID to remove00u1a2b3c4d5e6f7
groupIdYestextThe Okta group ID to remove the user from00g1a2b3c4d5e6f7
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
userIdtextThe user ID that was removed
groupIdtextThe group ID the user was removed from
removedbooleanWhether the user was successfully removed
addresstextThe Okta API base URL used
removedAtdatetimeWhen the user was removed (ISO 8601)

Unsuspend User

nameKey: okta-unsuspend-user

Description: Unsuspend an Okta user account, allowing them to log in again

Inputs

InputRequiredTypeDescriptionExample
userIdYestextThe Okta user ID to unsuspend00u1a2b3c4d5e6f7
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
userIdtextThe user ID that was unsuspended
unsuspendedbooleanWhether the user was successfully unsuspended
addresstextThe Okta API base URL used
unsuspendedAtdatetimeWhen the user was unsuspended (ISO 8601)
statustextThe user’s status after unsuspension (typically ACTIVE)

Update User

nameKey: okta-update-user

Description: Update an existing user’s profile in Okta using their login/email as identifier

Inputs

InputRequiredTypeDescriptionExample
loginYestextUser’s login/email identifier[email protected]
firstNameNotextNew first nameAlice
lastNameNotextNew last nameSmith
emailNotextNew email address[email protected]
departmentNotextNew departmentPlatform
employeeNumberNotextNew employee numberEMP-002
additionalProfileAttributesNotextJSON of additional profile attributes{"title":"Staff Engineer"}
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
idtextThe Okta user ID of the updated user
statustextThe user’s status in Okta
createddatetimeWhen the user was created (ISO 8601)
activateddatetimeWhen the user was activated (ISO 8601)
statusChangeddatetimeWhen the user’s status last changed (ISO 8601)
lastLogindatetimeWhen the user last logged in (ISO 8601)
lastUpdateddatetimeWhen the user was last updated (ISO 8601)
profileobjectThe user’s updated profile information
addresstextThe Okta API base URL used

Update User by ID

nameKey: okta-update-user-by-id

Description: Update an existing user’s profile in Okta using their Okta userId as identifier

Inputs

InputRequiredTypeDescriptionExample
userIdYestextUser’s Okta userId00u1a2b3c4d5e6f7
firstNameNotextNew first nameAlice
lastNameNotextNew last nameSmith
emailNotextNew email address[email protected]
departmentNotextNew departmentPlatform
employeeNumberNotextNew employee numberEMP-002
additionalProfileAttributesNotextJSON of additional profile attributes{"title":"Staff Engineer"}
addressNotextOkta API base URL overridehttps://your-tenant.okta.com

Outputs

OutputTypeDescription
idtextThe Okta user ID of the updated user
statustextThe user’s status in Okta
createddatetimeWhen the user was created (ISO 8601)
activateddatetimeWhen the user was activated (ISO 8601)
statusChangeddatetimeWhen the user’s status last changed (ISO 8601)
lastLogindatetimeWhen the user last logged in (ISO 8601)
lastUpdateddatetimeWhen the user was last updated (ISO 8601)
profileobjectThe user’s updated profile information
addresstextThe Okta API base URL used

User Risk Change

nameKey: okta-user-risk-change

Description: Transmits an Okta User Risk Change event as a Security Event Token (SET) to a specified endpoint

Inputs

InputRequiredTypeDescriptionExample
subjectYestextSubject identifier JSON{"format":"email","email":"[email protected]"}
audienceYestextIntended recipienthttps://your-tenant.okta.com/
previous_levelYestextPrevious user risk levellow
current_levelYestextCurrent user risk levelhigh
initiating_entityNotextEntity that initiated the changepolicy
reason_adminNotextAdmin-readable reasonSuspicious login activity
reason_userNotextUser-readable reasonYour risk level has changed
addressNotextDestination URL overridehttps://your-tenant.okta.com/

Valid risk levels: high, medium, low, secure, none

Outputs

OutputTypeDescription
statustextTransmission status
statusCodenumberHTTP response status code
bodytextHTTP response body
retryablebooleanWhether the error is retryable

SailPoint IdentityNow

Protected System Type: SailpointIdentityNow-1.0.0

SettingValue
Addresshttps://your-tenant.api.identitynow.com
AuthenticationOAuth2 Client Credentials (using the SailPoint client ID and secret from your IdentityNow tenant)

Disable Account

nameKey: sailpoint-identity-now-disable-account

Description: Disable an account in SailPoint IdentityNow

Inputs

InputRequiredTypeDescriptionExample
accountIdYestextThe ID of the account to disable2c9180835d2e5168015d32f890ca1581
addressNotextSailPoint IdentityNow API base URL overridehttps://your-tenant.api.identitynow.com
externalVerificationIdNotextExternal verification ID for the operationext-verify-001
forceProvisioningNobooleanForce provisioning of the disable operation (default false)false

Outputs

OutputTypeDescription
accountIdtextThe ID of the account that was disabled
disabledbooleanWhether the account was successfully disabled
taskIdtextThe ID of the provisioning task created
messagetextAdditional information about the operation
disabledAtdatetimeWhen the account was disabled (ISO 8601)
addresstextThe SailPoint IdentityNow API base URL used

Enable Account

nameKey: sailpoint-identity-now-enable-account

Description: Enable an account in SailPoint IdentityNow

Inputs

InputRequiredTypeDescriptionExample
accountIdYestextThe ID of the account to enable2c9180835d2e5168015d32f890ca1581
addressNotextSailPoint IdentityNow API base URL overridehttps://your-tenant.api.identitynow.com
externalVerificationIdNotextExternal verification ID for the operationext-verify-002
forceProvisioningNobooleanForce provisioning of the enable operation (default false)false

Outputs

OutputTypeDescription
accountIdtextThe ID of the account that was enabled
enabledbooleanWhether the account was successfully enabled
taskIdtextThe ID of the provisioning task created
messagetextAdditional information about the operation
enabledAtdatetimeWhen the account was enabled (ISO 8601)
addresstextThe SailPoint IdentityNow API base URL used

Grant Access

nameKey: sailpoint-identity-now-grant-access

Description: Request access to resources in SailPoint IdentityNow

Inputs

InputRequiredTypeDescriptionExample
identityIdYestextThe ID of the identity requesting access2c9180835d2e5168015d32f890ca1581
itemTypeYestextType of access item: ACCESS_PROFILE, ROLE, or ENTITLEMENTROLE
itemIdYestextThe ID of the access item to grant2c9180835d2e5168015d32f890ca2345
itemCommentNotextComment for the access requestApproved by SGNL policy
itemRemoveDateNotextISO 8601 date when access should be removed2026-12-31T00:00:00Z
clientMetadataNotextArbitrary key-value pairs as JSON string{"requestedBy":"sgnl"}
itemClientMetadataNotextItem-level key-value pairs as JSON string{"priority":"high"}
addressNotextSailPoint IdentityNow API base URL overridehttps://your-tenant.api.identitynow.com

Outputs

OutputTypeDescription
requestIdtextThe ID of the access request created
identityIdtextThe identity ID for which access was requested
itemTypetextThe type of access item requested
itemIdtextThe ID of the access item requested
statustextThe status of the access request
requestedAtdatetimeWhen the access request was created (ISO 8601)
addresstextThe SailPoint IdentityNow API base URL used

Revoke Access

nameKey: sailpoint-identity-now-revoke-access

Description: Request to revoke access to resources in SailPoint IdentityNow

Inputs

InputRequiredTypeDescriptionExample
identityIdYestextThe ID of the identity2c9180835d2e5168015d32f890ca1581
itemTypeYestextType of access item: ACCESS_PROFILE, ROLE, or ENTITLEMENTROLE
itemIdYestextThe ID of the access item to revoke2c9180835d2e5168015d32f890ca2345
itemCommentYestextComment for the revocation request (required)Access no longer needed
itemRemoveDateNotextISO 8601 date when access should be removed2026-06-01T00:00:00Z
clientMetadataNotextArbitrary key-value pairs as JSON string{"revokedBy":"sgnl"}
itemClientMetadataNotextItem-level key-value pairs as JSON string{"priority":"high"}
addressNotextSailPoint IdentityNow API base URL overridehttps://your-tenant.api.identitynow.com

Outputs

OutputTypeDescription
requestIdtextThe ID of the access request created
identityIdtextThe identity ID for which access was revoked
itemTypetextThe type of access item requested
itemIdtextThe ID of the access item requested
statustextThe status of the access request
requestedAtdatetimeWhen the access request was created (ISO 8601)
addresstextThe SailPoint IdentityNow API base URL used

Salesforce

Protected System Type: Salesforce-1.0.0

SettingValue
Addresshttps://your-instance.salesforce.com
AuthenticationOAuth2 Client Credentials or OAuth2 Authorization Code

The Salesforce Connected App must have the api and refresh_token scopes. For OAuth2 Client Credentials, use the token URL https://login.salesforce.com/services/oauth2/token.


Add to Permission Set

nameKey: salesforce-add-to-permission-set

Description: Add a user to a permission set in Salesforce

Inputs

InputRequiredTypeDescriptionExample
usernameYestextSalesforce username to add to the permission set[email protected]
permissionSetIdYestextSalesforce permission set ID0PS000000000001
addressNotextSalesforce API base URL overridehttps://your-instance.salesforce.com

Outputs

OutputTypeDescription
statustextOperation result
usernametextThe username that was processed
userIdtextSalesforce user ID that was found
permissionSetIdtextPermission set ID that was assigned
assignmentIdtextPermission set assignment ID (if created)
addresstextThe Salesforce API base URL used

Remove from Permission Set

nameKey: salesforce-remove-from-permission-set

Description: Remove a user from a permission set in Salesforce

Inputs

InputRequiredTypeDescriptionExample
usernameYestextSalesforce username to remove from the permission set[email protected]
permissionSetIdYestextThe ID of the permission set0PS000000000001
addressNotextSalesforce API base URL overridehttps://your-instance.salesforce.com

Outputs

OutputTypeDescription
statustextOperation result
usernametextThe username that was processed
userIdtextThe Salesforce User ID
permissionSetIdtextThe permission set ID
assignmentIdtextThe permission set assignment ID that was removed
removedbooleanWhether the permission set assignment was actually removed
addresstextThe Salesforce API base URL used

Salesforce Revoke Session

nameKey: salesforce-revoke-session

Description: Revoke all sessions for a user in Salesforce

Inputs

InputRequiredTypeDescriptionExample
usernameYestextSalesforce username to revoke sessions for[email protected]
addressNotextSalesforce API base URL overridehttps://your-instance.salesforce.com

Outputs

OutputTypeDescription
statustextOperation result
usernametextThe username for which sessions were revoked
userIdtextThe Salesforce user ID
sessionsRevokednumberNumber of sessions that were revoked
processed_atdatetimeWhen the operation completed (ISO 8601)
addresstextThe Salesforce API base URL used

Slack

Protected System Type: Slack-1.0.0

SettingValue
Addresshttps://slack.com
AuthenticationBearer — use a Slack Bot User OAuth Token prefixed with Bearer

The Slack Bot Token requires the users:read.email, users:admin, and chat:write scopes. For session revocation, the admin.users:write scope is also required.


Slack Revoke Session

nameKey: slack-revoke-session

Description: Revoke all active sessions for a Slack user by email address

Inputs

InputRequiredTypeDescriptionExample
userEmailYesemailEmail address of the Slack user[email protected]
delayNotextDelay between API calls (e.g., 100ms, 1s)100ms
addressNotextSlack API base URL overridehttps://slack.com

Outputs

OutputTypeDescription
userEmailtextThe email address that was processed
userIdtextThe Slack user ID resolved from the email
sessionsRevokedbooleanWhether the sessions were successfully revoked
revokedAtdatetimeWhen the revocation completed (ISO 8601)

Send Direct Message

nameKey: slack-send-direct-message

Description: Send a direct message to a Slack user by email

Inputs

InputRequiredTypeDescriptionExample
textYestextMessage text to sendYour access has been updated by SGNL.
userEmailYestextEmail address of the Slack user[email protected]
delayNotextDelay between API calls100ms
addressNotextSlack API base URL overridehttps://slack.com

Outputs

OutputTypeDescription
statustextOperation result
userEmailtextThe email address of the user the message was sent to
userIdtextThe Slack user ID resolved from the email
texttextThe message text that was sent
tstextThe timestamp of the sent message from Slack API
okbooleanWhether the Slack API call was successful

Send Message

nameKey: slack-send-message

Description: Send a message to a Slack channel via API or webhook

Inputs

InputRequiredTypeDescriptionExample
textYestextMessage text to sendAlert: access policy triggered for [email protected]
channelNotextSlack channel name or ID (required for API mode)#security-alerts
isWebhookNobooleanUse webhook mode instead of API mode (default false)false
addressNotextSlack API base URL (API mode) or webhook URL (webhook mode)https://slack.com

Outputs

OutputTypeDescription
statustextOperation result
texttextThe message text that was sent
channeltextThe channel where the message was sent (API mode only)
tstextMessage timestamp returned by Slack (API mode only)
okbooleanWhether the Slack API response was successful
modetextThe delivery mode used (webhook or api)

Snowflake

Protected System Type: Snowflake-1.0.0

SettingValue
Addresshttps://api.snowflakecomputing.com
AuthenticationBearer, Basic (username/password), OAuth2 Client Credentials, or OAuth2 Authorization Code

Snowflake Revoke Session

nameKey: snowflake-revoke-session

Description: Revoke all active sessions for a Snowflake user by disabling and re-enabling the account

Inputs

InputRequiredTypeDescriptionExample
usernameYestextThe Snowflake username to revoke sessions forALICE
delayNotextDelay between disable and re-enable operations100ms
addressNotextSnowflake API base URL overridehttps://api.snowflakecomputing.com

Outputs

OutputTypeDescription
usernametextThe Snowflake username that was processed
sessionsRevokedbooleanWhether the sessions were successfully revoked
userDisabledtextStatement handle or status for the disable operation
userReEnabledtextStatement handle or status for the re-enable operation
revokedAtdatetimeWhen the revocation completed (ISO 8601)

Zoom

Protected System Type: Zoom-1.0.0

SettingValue
Addresshttps://api.zoom.us
AuthenticationBearer, OAuth2 Client Credentials, or OAuth2 Authorization Code

For OAuth2 Client Credentials, use the token URL https://zoom.us/oauth/token and configure a Server-to-Server OAuth app in the Zoom Marketplace.


Zoom Revoke Session

nameKey: zoom-revoke-session

Description: Revoke SSO token for a Zoom user

Inputs

InputRequiredTypeDescriptionExample
userIdYestextThe Zoom user ID to revoke SSO token forabc123DEF456
addressNotextZoom API base URL overridehttps://api.zoom.us

Outputs

OutputTypeDescription
userIdtextThe Zoom user ID that was processed
tokenRevokedbooleanWhether the SSO token was successfully revoked
revokedAtdatetimeWhen the revocation completed (ISO 8601)